I am having an issue with the regex pattern in mutate gsub function.
My current filter is below
filter {
# Log types are "SIEM_EVENTS", "TTP_EVENTS", "AUDIT_EVENTS".
mutate {
gsub => [ "[message]", "^<\d+>", "" ]
gsub => [ "[message]", "^{", "" ]
gsub => [ "[message]", "\\", "" ]
gsub => [ "[message]", "$}", "" ]
}
if ([message] =~ "ttpDefinition") {
kv {
source => "[message]"
field_split => ", "
value_split => ": "
}
mutate {
add_tag => [ "mimecast_ttp" ]
}
}
if ([message] =~ "auditType") {
kv {
source => "[message]"
field_split => ", "
value_split => ": "
}
mutate {
add_tag => [ "mimecast_audit" ]
}
}
else {
kv {
source => "[message]"
field_split => "|"
value_split => "="
}
mutate {
add_tag => [ "mimecast_siem" ]
}
}
}
I am still currently seeing logs like this coming into Kibana
{
"\"messageId\"" => "\"<160978436504.10440.13591654598331832802@celery3.chartio.net>\"}\u0000",
"\"userEmailAddress\"" => "someemailaddress",
"\"scanResult\"" => "clean",
"\"userAwarenessAction\"" => "N/A",
"\"subject\"" => "[External Sender] Chartio: Red Lobster Region Level DoorDash Ops\\r\\n Report for January 04,\\r\\n 2021",
"message" => "\"userEmailAddress\": \"someeamiladdress\", \"fromUserEmailAddress\": \"reports@chartio.com\", \"url\": \"https://chartio.com/doordash3/red-lobster-store-operations/report/a9ff35ed1b094b6bb8e69940088755ca.pdf\", \"ttpDefinition\": \"Default URL Protection Definition\", \"subject\": \"[External Sender] Chartio: Red Lobster Region Level DoorDash Ops\\r\\n Report for January 04,\\r\\n 2021\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Computers & Technology\", \"sendingIp\": \"159.135.231.7\", \"userAwarenessAction\": \"N/A\", \"date\": \"2021-01-04T18:53:14+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [\"Body\"], \"messageId\": \"<160978436504.10440.13591654598331832802@celery3.chartio.net>\"}\u0000",
"host" => "127.0.0.1",
"\"emailPartsDescription\"" => "\"Body\"",
"\"url\"" => "someurlshownhere",
"\"userOverride\"" => "None",
"\"sendingIp\"" => "someipaddress",
"@version" => "1",
"\"route\"" => "inbound",
"\"category\"" => "Computers & Technology",
"\"adminOverride\"" => "N/A",
"\"ttpDefinition\"" => "Default URL Protection Definition",
"\"action\"" => "allow",
"\"actions\"" => "Allow",
"\"creationMethod\"" => "User Click",
"\"date\"" => "2021-01-04T18:53:14+0000",
"@timestamp" => 2021-01-04T18:53:56.984Z,
"tags" => [
[0] "mimecast_ttp",
[1] "mimecast_siem"
],
"\"fromUserEmailAddress\"" => "reports@chartio.com"
}
I am trying remove the backslashes and double quotation marks from both sides of field:value mappings in the message but nothing I am doing is correct.
Thanks for any help